So I decided to write a packet sniffer/editor that works by utilizing a system wide hook of the Winsock send/recv functions. I don't plan to support WSA* functions from Winsock 2.

I want to be able to filter packets by process among other things such as src/dest ports, protocol and what not. I'm stumped however, on how to filter by process.

I can only think of doing this by scanning memory or perhaps reading the stack to find out where the API call returns to and checking if it's within the selected process's memory. Any other methods or ideas on how to do this would be appreciated.

P.S. I realize for things like src/dest port filtering and the like I may have to utilize a lower level method of capturing packets to obtain access to the tcp header. A library such as libpcap for the win32 platform for example would probably work.

Hook the socket() function to call GetCurrentProcessId and create a system-wide table mapping sockets to their owners. Then in send and recv check if the socket being used belongs to a process for which hooking is desired. A driver to manage the table would probably be needed (to prune it and such).
_________________

Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
